Network Working Group D. Eastlake 3rd
Request for Comments: 4634 Motorola Labs
Updates: 3174 T. Hansen
Category: Informational AT&T Labs
July 2006
US Secure Hash Algorithms (SHA and HMAC-SHA)
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The United States of America has adopted a suite of Secure Hash
Algorithms (SHAs), including four beyond SHA-1, as part of a Federal
Information Processing Standard (FIPS), specifically SHA-224 (RFC
3874), SHA-256, SHA-384, and SHA-512. The purpose of this document
is to make source code performing these hash functions conveniently
available to the Internet community. The sample code supports input
strings of arbitrary bit length. SHA-1's sample code from RFC 3174
has also been updated to handle input strings of arbitrary bit
length. Most of the text herein was adapted by the authors from FIPS
180-2.
Code to perform SHA-based HMACs, with arbitrary bit length text, is
also included.
Eastlake 3rd & Hansen Informational [Page 1]
RFC 4634 SHAs and HMAC-SHAs July 2006
Table of Contents
1. Overview of Contents
   1.1. License
2. Notation for Bit Strings and Integers
3. Operations on Words
4. Message Padding and Parsing
   4.1. SHA-224 and SHA-256
   4.2. SHA-384 and SHA-512
5. Functions and Constants Used
   5.1. SHA-224 and SHA-256
   5.2. SHA-384 and SHA-512
6. Computing the Message Digest
   6.1. SHA-224 and SHA-256 Initialization
   6.2. SHA-224 and SHA-256 Processing
   6.3. SHA-384 and SHA-512 Initialization
   6.4. SHA-384 and SHA-512 Processing
7. SHA-Based HMACs
8. C Code for SHAs
   8.1. The .h File
   8.2. The SHA Code
      8.2.1. sha1.c
      8.2.2. sha224-256.c
      8.2.3. sha384-512.c
      8.2.4. usha.c
      8.2.5. sha-private.h
   8.3. The HMAC Code
   8.4. The Test Driver
9. Security Considerations
10. Normative References
11. Informative References
1. Overview of Contents
NOTE: Much of the text below is taken from [FIPS180-2] and assertions
therein of the security of the algorithms described are made by the
US Government, the author of [FIPS180-2], and not by the authors of
this document.
The text below specifies Secure Hash Algorithms, SHA-224 [RFC3874],
SHA-256, SHA-384, and SHA-512, for computing a condensed
representation of a message or a data file. (SHA-1 is specified in
[RFC3174].) When a message of any length < 2^64 bits (for SHA-224
and SHA-256) or < 2^128 bits (for SHA-384 and SHA-512) is input to
one of these algorithms, the result is an output called a message
digest. The message digests range in length from 224 to 512 bits,
depending on the algorithm. Secure hash algorithms are typically
used with other cryptographic algorithms, such as digital signature
algorithms and keyed hash authentication codes, or in the generation
of random numbers [RFC4086].
The four algorithms specified in this document are called secure
because it is computationally infeasible to (1) find a message that
corresponds to a given message digest, or (2) find two different
messages that produce the same message digest. Any change to a
message in transit will, with very high probability, result in a
different message digest. This will result in a verification failure
when the secure hash algorithm is used with a digital signature
algorithm or a keyed-hash message authentication algorithm.
The code provided herein supports input strings of arbitrary bit
length. SHA-1's sample code from [RFC3174] has also been updated to
handle input strings of arbitrary bit length. See Section 1.1 for
license information for this code.
Section 2 below defines the terminology and functions used as
building blocks to form these algorithms. Section 3 describes the
fundamental operations on words from which these algorithms are
built. Section 4 describes how messages are padded up to an integral
multiple of the required block size and then parsed into blocks.
Section 5 defines the constants and the composite functions used to
specify these algorithms. Section 6 gives the actual specification
for the SHA-224, SHA-256, SHA-384, and SHA-512 functions. Section 7
provides pointers to the specification of HMAC keyed message
authentication codes based on the SHA algorithms. Section 8 gives
sample code for the SHA algorithms and Section 9 code for SHA-based
HMACs. The SHA-based HMACs will accept arbitrary bit length text.
1.1. License
Permission is granted for all uses, commercial and non-commercial, of
the sample code found in Section 8. Royalty free license to use,
copy, modify and distribute the software found in Section 8 is
granted, provided that this document is identified in all material
mentioning or referencing this software, and provided that
redistributed derivative works do not contain misleading author or
version information.
The authors make no representations concerning either the
merchantability of this software or the suitability of this software
for any particular purpose. It is provided "as is" without express
or implied warranty of any kind.
2. Notation for Bit Strings and Integers
The following terminology related to bit strings and integers will be
used:
a. A hex digit is an element of the set {0, 1, ... , 9, A, ... ,
F}. A hex digit is the representation of a 4-bit string.
Examples: 7 = 0111, A = 1010.
b. A word equals a 32-bit or 64-bit string, which may be
represented as a sequence of 8 or 16 hex digits, respectively.
To convert a word to hex digits, each 4-bit string is converted
to its hex equivalent as described in (a) above. Example:
1010 0001 0000 0011 1111 1110 0010 0011 = A103FE23.
Throughout this document, the "big-endian" convention is used
when expressing both 32-bit and 64-bit words, so that within
each word the most significant bit is shown in the left-most bit
position.
c. An integer may be represented as a word or pair of words.
An integer between 0 and 2^32 - 1 inclusive may be represented
as a 32-bit word. The least significant four bits of the
integer are represented by the right-most hex digit of the word
representation. Example: the integer 291 = 2^8+2^5+2^1+2^0 =
256+32+2+1 is represented by the hex word 00000123.
The same holds true for an integer between 0 and 2^64-1
inclusive, which may be represented as a 64-bit word.
If z is an integer, 0 <= z < 2^64, then z = (2^32)x + y where 0
<= x < 2^32 and 0 <= y < 2^32. Since x and y can be represented
as words X and Y, respectively, z can be represented as the pair
of words (X,Y).
d. block = 512-bit or 1024-bit string. A block (e.g., B) may be
represented as a sequence of 32-bit or 64-bit words.
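The conventions of items (b) and (c), as an added example that is not part of this document's Section 8 sample code: a word is rendered and stored most significant end first using shifts, so the result does not depend on the byte order of the host. All helper names and the sample value of z are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Helper names are hypothetical; they do not appear in the RFC's code. */

/* Item (b): render a 32-bit word as 8 hex digits, leftmost digit most
 * significant. Shifts are used, so host endianness is irrelevant. */
static void word32_to_hex(uint32_t w, char out[9])
{
    static const char digits[] = "0123456789ABCDEF";
    for (int i = 0; i < 8; i++)
        out[i] = digits[(w >> (28 - 4 * i)) & 0xF];
    out[8] = '\0';
}

/* Item (c): split z, 0 <= z < 2^64, into (X,Y) with z = (2^32)x + y. */
static void split_pair(uint64_t z, uint32_t *x, uint32_t *y)
{
    *x = (uint32_t)(z >> 32);
    *y = (uint32_t)(z & 0xFFFFFFFFu);
}

/* Rebuild z from the pair of words (X,Y). */
static uint64_t join_pair(uint32_t x, uint32_t y)
{
    return ((uint64_t)x << 32) | y;
}

/* Store a word as 4 bytes, most significant byte first (big-endian). */
static void word32_to_bytes(uint32_t w, uint8_t out[4])
{
    for (int i = 0; i < 4; i++)
        out[i] = (uint8_t)(w >> (24 - 8 * i));
}

/* Load a word from 4 big-endian bytes. */
static uint32_t bytes_to_word32(const uint8_t in[4])
{
    return ((uint32_t)in[0] << 24) | ((uint32_t)in[1] << 16) |
           ((uint32_t)in[2] << 8) | (uint32_t)in[3];
}

int main(void)
{
    char hex[9];
    uint8_t b[4];
    uint32_t x, y;

    word32_to_hex(291, hex);                    /* the integer 291 from item (c) */
    printf("291 = %s\n", hex);
    split_pair(0x0000000200000123ULL, &x, &y);  /* constructed sample z */
    word32_to_bytes(y, b);
    printf("X=%u Y=%u z=%llu b[0]=%02X\n", (unsigned)x,
           (unsigned)bytes_to_word32(b),
           (unsigned long long)join_pair(x, y), (unsigned)b[0]);
    return 0;
}
```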
3. Operations on Words
The following logical operators will be applied to words in all four
hash operations specified herein. SHA-224 and SHA-256 operate on
32-bit words, while SHA-384 and SHA-512 operate on 64-bit words.
In the operations below, x<